kernel-packages team mailing list archive
Message #167133
[Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
This bug was fixed in the package linux - 4.2.0-34.39
---------------
linux (4.2.0-34.39) wily; urgency=low
[ Brad Figg ]
* Release Tracking Bug
- LP: #1555821
[ Florian Westphal ]
* SAUCE: [nf] netfilter: x_tables: check for size overflow
- LP: #1555353
* SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving
userspace
- LP: #1555338
linux (4.2.0-33.38) wily; urgency=low
[ Brad Figg ]
* Release Tracking Bug
- LP: #1554649
[ Upstream Kernel Changes ]
* Revert "drm/radeon: call hpd_irq_event on resume"
- LP: #1554608
* cxl: Fix PSL timebase synchronization detection
- LP: #1532914
linux (4.2.0-32.37) wily; urgency=low
[ Kamal Mostafa ]
* Release Tracking Bug
- LP: #1550045
[ Kamal Mostafa ]
* Merged back Ubuntu-4.2.0-31.36
linux (4.2.0-31.36) wily; urgency=low
[ Brad Figg ]
* Release Tracking Bug
- LP: #1548579
[ Andy Whitcroft ]
* [Debian] hv: hv_set_ifconfig -- convert to python3
- LP: #1506521
* [Debian] hv: hv_set_ifconfig -- switch to approved indentation
- LP: #1540586
* [Debian] hv: hv_set_ifconfig -- fix numerous parameter handling issues
- LP: #1540586
[ Carol L Soto ]
* SAUCE: IB/IPoIB: Do not set skb truesize since using one linearskb
- LP: #1541326
[ Dan Streetman ]
* SAUCE: nbd: ratelimit error msgs after socket close
- LP: #1505564
[ Tim Gardner ]
* Revert "SAUCE: (noup) cxlflash: Fix to avoid virtual LUN failover
failure"
- LP: #1541635
* Revert "SAUCE: (noup) cxlflash: Fix to escalate LINK_RESET also on port
1"
- LP: #1541635
* [Config] ARMV8_DEPRECATED=y
- LP: #1545542
[ Upstream Kernel Changes ]
* x86/xen/p2m: hint at the last populated P2M entry
- LP: #1542941
* mm: add dma_pool_zalloc() call to DMA API
- LP: #1543737
* sctp: Prevent soft lockup when sctp_accept() is called during a timeout
event
- LP: #1543737
* xen-netback: respect user provided max_queues
- LP: #1543737
* xen-netfront: respect user provided max_queues
- LP: #1543737
* xen-netfront: update num_queues to real created
- LP: #1543737
* iio: adis_buffer: Fix out-of-bounds memory access
- LP: #1543737
* KVM: PPC: Fix emulation of H_SET_DABR/X on POWER8
- LP: #1543737
* KVM: PPC: Fix ONE_REG AltiVec support
- LP: #1543737
* x86/irq: Call chip->irq_set_affinity in proper context
- LP: #1543737
* drm/amdgpu: fix tonga smu resume
- LP: #1543737
* perf kvm record/report: 'unprocessable sample' error while
recording/reporting guest data
- LP: #1543737
* hrtimer: Handle remaining time proper for TIME_LOW_RES
- LP: #1543737
* timerfd: Handle relative timers with CONFIG_TIME_LOW_RES proper
- LP: #1543737
* posix-timers: Handle relative timers with CONFIG_TIME_LOW_RES proper
- LP: #1543737
* itimers: Handle relative timers with CONFIG_TIME_LOW_RES proper
- LP: #1543737
* drm/amdgpu: Use drm_calloc_large for VM page_tables array
- LP: #1543737
* drm/amdgpu: fix amdgpu_bo_pin_restricted VRAM placing v2
- LP: #1543737
* drm/radeon: properly byte swap vce firmware setup
- LP: #1543737
* ACPI: Revert "ACPI / video: Add Dell Inspiron 5737 to the blacklist"
- LP: #1543737
* ACPI / PCI / hotplug: unlock in error path in acpiphp_enable_slot()
- LP: #1543737
* hwmon: (dell-smm) Blacklist Dell Studio XPS 8000
- LP: #1543737
* usb: cdc-acm: handle unlinked urb in acm read callback
- LP: #1543737
* usb: cdc-acm: send zero packet for intel 7260 modem
- LP: #1543737
* cdc-acm:exclude Samsung phone 04e8:685d
- LP: #1543737
* usb: hub: do not clear BOS field during reset device
- LP: #1543737
* USB: cp210x: add ID for IAI USB to RS485 adaptor
- LP: #1543737
* USB: visor: fix null-deref at probe
- LP: #1543737
* USB: serial: visor: fix crash on detecting device without write_urbs
- LP: #1543737
* USB: serial: option: Adding support for Telit LE922
- LP: #1543737
* ALSA: seq: Fix incorrect sanity check at snd_seq_oss_synth_cleanup()
- LP: #1543737
* ALSA: seq: Degrade the error message for too many opens
- LP: #1543737
* USB: serial: ftdi_sio: add support for Yaesu SCU-18 cable
- LP: #1543737
* arm64: kernel: fix architected PMU registers unconditional access
- LP: #1543737
* USB: option: fix Cinterion AHxx enumeration
- LP: #1543737
* ALSA: compress: Disable GET_CODEC_CAPS ioctl for some architectures
- LP: #1543737
* ALSA: usb-audio: Fix TEAC UD-501/UD-503/NT-503 usb delay
- LP: #1543737
* virtio_pci: fix use after free on release
- LP: #1543737
* ALSA: bebob: Use a signed return type for get_formation_index
- LP: #1543737
* arm64: errata: Add -mpc-relative-literal-loads to build flags
- LP: #1533009, #1543737
* arm64: mm: avoid calling apply_to_page_range on empty range
- LP: #1543737
* x86/mm: Fix types used in pgprot cacheability flags translations
- LP: #1543737
* powerpc/eeh: Fix PE location code
- LP: #1543737
* SCSI: fix crashes in sd and sr runtime PM
- LP: #1543737
* tty: Fix unsafe ldisc reference via ioctl(TIOCGETD)
- LP: #1543737
* n_tty: Fix unsafe reference to "other" ldisc
- LP: #1543737
* staging/speakup: Use tty_ldisc_ref() for paste kworker
- LP: #1543737
* tick/nohz: Set the correct expiry when switching to nohz/lowres mode
- LP: #1543737
* irqchip/atmel-aic: Fix wrong bit operation for IRQ priority
- LP: #1543737
* seccomp: always propagate NO_NEW_PRIVS on tsync
- LP: #1543737
* drm/radeon: cleaned up VCO output settings for DP audio
- LP: #1543737
* drm/radeon: Add a common function for DFS handling
- LP: #1543737
* drm/radeon: fix DP audio support for APU with DCE4.1 display engine
- LP: #1543737
* cpufreq: Fix NULL reference crash while accessing policy->governor_data
- LP: #1543737
* cpufreq: pxa2xx: fix pxa_cpufreq_change_voltage prototype
- LP: #1543737
* ALSA: dummy: Disable switching timer backend via sysfs
- LP: #1543737
* drm/vmwgfx: respect 'nomodeset'
- LP: #1543737
* Staging: speakup: Fix getting port information
- LP: #1543737
* x86/mm/pat: Avoid truncation when converting cpa->numpages to address
- LP: #1543737
* serial: 8250_pci: Add Intel Broadwell ports
- LP: #1543737
* perf annotate browser: Fix behaviour of Shift-Tab with nothing focussed
- LP: #1543737
* perf hists: Fix HISTC_MEM_DCACHELINE width setting
- LP: #1543737
* powerpc/perf: Remove PPMU_HAS_SSLOT flag for Power8
- LP: #1543737
* Linux 4.2.8-ckt4
- LP: #1543737
* cxlflash: Resolve oops in wait_port_offline
- LP: #1541635
* cxlflash: Fix to resolve cmd leak after host reset
- LP: #1541635
* cxlflash: Removed driver date print
- LP: #1541635
* cxlflash: drop unlikely before IS_ERR_OR_NULL
- LP: #1541635
* powerpc/powernv: Panic on unhandled Machine Check
- LP: #1541635
* cxlflash: Fix to avoid virtual LUN failover failure
- LP: #1541635
* cxlflash: Fix to escalate LINK_RESET also on port 1
- LP: #1541635
* IB/ipoib: Suppress warning for send only join failures
- LP: #1542444
* IB/ipoib: Expire sendonly multicast joins
- LP: #1542444
* IB/ipoib: increase the max mcast backlog queue
- LP: #1542444
* IB/ipoib: For sendonly join free the multicast group on leave
- LP: #1542444
* qeth: initialize net_device with carrier off
- LP: #1541907
* mwifiex: remove USB8897 chipset support
- LP: #1494593
* powerpc/powernv: Fix stale PE primary bus
- LP: #1546145
* ALSA: usb-audio: avoid freeing umidi object twice
- LP: #1546177
- CVE-2016-2384
-- Brad Figg <brad.figg@xxxxxxxxxxxxx> Thu, 10 Mar 2016 13:46:44 -0800
** Changed in: linux (Ubuntu Wily)
Status: Fix Committed => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2384
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-armadaxp in Ubuntu.
https://bugs.launchpad.net/bugs/1555338
Title:
Linux netfilter IPT_SO_SET_REPLACE memory corruption
Status in linux package in Ubuntu:
Fix Committed
Status in linux-armadaxp package in Ubuntu:
Invalid
Status in linux-keystone package in Ubuntu:
Invalid
Status in linux-lts-utopic package in Ubuntu:
Invalid
Status in linux source package in Precise:
Fix Committed
Status in linux-armadaxp source package in Precise:
Fix Committed
Status in linux-keystone source package in Precise:
Invalid
Status in linux-lts-utopic source package in Precise:
Invalid
Status in linux source package in Trusty:
Fix Committed
Status in linux-armadaxp source package in Trusty:
Invalid
Status in linux-keystone source package in Trusty:
Fix Committed
Status in linux-lts-utopic source package in Trusty:
Fix Committed
Status in linux source package in Vivid:
Fix Committed
Status in linux-armadaxp source package in Vivid:
Invalid
Status in linux-keystone source package in Vivid:
Invalid
Status in linux-lts-utopic source package in Vivid:
Invalid
Status in linux source package in Wily:
Fix Released
Status in linux-armadaxp source package in Wily:
Invalid
Status in linux-keystone source package in Wily:
Invalid
Status in linux-lts-utopic source package in Wily:
Invalid
Status in linux source package in Xenial:
Fix Committed
Status in linux-armadaxp source package in Xenial:
Invalid
Status in linux-keystone source package in Xenial:
Invalid
Status in linux-lts-utopic source package in Xenial:
Invalid
Bug description:
[Impact]
[From https://code.google.com/p/google-security-research/issues/detail?id=758 ]
A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE
ioctl in the netfilter code for iptables support. This ioctl can be
triggered by an unprivileged user on PF_INET sockets when unprivileged
user namespaces are available (CONFIG_USER_NS=y). Android does not
enable this option, but desktop/server distributions and Chrome OS
will commonly enable this to allow for containers support or
sandboxing.
In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
is possible for a user-supplied ipt_entry structure to have a large
next_offset field. This field is not bounds checked prior to writing a
counter value at the supplied offset:
newpos = pos + e->next_offset;
...
e = (struct ipt_entry *) (entry0 + newpos);
e->counters.pcnt = pos;
This means that an out of bounds 32-bit write can occur in a 64kb
range from the allocated heap entry, with a controlled offset and a
partially controlled write value ("pos") or zero. The attached
proof-of-concept (netfilter_setsockopt_v3.c) triggers the corruption
multiple times to set adjacent heap structures to zero.
This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It
appears that a similar codepath is accessible via
arp_tables.c/ARPT_SO_SET_REPLACE as well.
[Fix]
http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/62150
[Test Case]
Download v3 testcase from https://code.google.com/p/google-security-research/issues/detail?id=758
gcc net*v3.c -o v3
./v3
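The description above states that mark_source_chains() follows a user-supplied next_offset without checking it against the size of the table. As an added example (not code from the kernel, the bug report, or the fix thread linked under [Fix]), the C program below models the validation that must precede any write that follows such an offset: it walks a constructed blob of simplified ipt_entry-like records and rejects unaligned, too-small and out-of-range next_offset values before a marking pass records positions the way mark_source_chains() does. struct model_entry, validate_entry_chain(), mark_positions() and the sample table are all assumptions of this example; the layout is deliberately much simpler than the kernel's struct ipt_entry.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for struct ipt_entry (assumption: the kernel's struct
 * is larger and laid out differently; only the fields the check needs
 * are modelled). Alignment is that of its widest member, uint32_t. */
struct model_entry {
    uint16_t target_offset;  /* unused here, kept for shape */
    uint16_t next_offset;    /* user-supplied distance to the next entry */
    uint32_t pcnt;           /* stands in for e->counters.pcnt */
};
#define ENTRY_ALIGN sizeof(uint32_t)

enum check_result {
    CHECK_OK = 0,
    CHECK_BAD_ALIGNMENT,
    CHECK_ENTRY_TOO_SMALL,
    CHECK_ENTRY_PAST_END
};

/* Walk the user-supplied entry blob and verify that every next_offset keeps
 * the walk inside [0, size]. This is the invariant the unchecked write in
 * the report relied on userspace to respect. */
enum check_result validate_entry_chain(const unsigned char *blob, size_t size)
{
    size_t pos = 0;
    while (pos < size) {
        struct model_entry e;
        size_t next;
        if (pos % ENTRY_ALIGN != 0)
            return CHECK_BAD_ALIGNMENT;
        if (size - pos < sizeof e)      /* header must fit before we read it */
            return CHECK_ENTRY_PAST_END;
        memcpy(&e, blob + pos, sizeof e);
        if (e.next_offset < sizeof e)   /* zero/short offsets loop or overlap */
            return CHECK_ENTRY_TOO_SMALL;
        next = pos + e.next_offset;     /* size_t: a 16-bit offset cannot wrap it */
        if (next > size)                /* the out-of-bounds case from the report */
            return CHECK_ENTRY_PAST_END;
        pos = next;
    }
    return CHECK_OK;
}

/* Record each entry's own offset in its pcnt field, the kind of write
 * mark_source_chains() performs, but only after the chain has passed
 * validation, so no write ever follows an unchecked next_offset. */
enum check_result mark_positions(unsigned char *blob, size_t size)
{
    enum check_result r = validate_entry_chain(blob, size);
    if (r != CHECK_OK)
        return r;                       /* reject the whole table */
    for (size_t pos = 0; pos < size;) {
        struct model_entry *e = (struct model_entry *)(blob + pos);
        e->pcnt = (uint32_t)pos;
        pos += e->next_offset;
    }
    return CHECK_OK;
}

/* Constructed sample: three entries of 8, 16 and 8 bytes (padding after each
 * header stands in for match/target data). The second entry's next_offset
 * is a parameter so callers can inject a malformed value.
 * Returns the bytes written (32), or 0 if buf is too small. */
size_t build_sample_table(unsigned char *buf, size_t cap, uint16_t second_next_offset)
{
    static const uint16_t sizes[3] = { 8, 16, 8 };
    size_t pos = 0;
    if (cap < 32)
        return 0;
    memset(buf, 0, cap);
    for (int i = 0; i < 3; i++) {
        struct model_entry e = { 0, sizes[i], 0 };
        if (i == 1)
            e.next_offset = second_next_offset;
        memcpy(buf + pos, &e, sizeof e);
        pos += sizes[i];
    }
    return pos;
}

/* Validate a sample table whose second next_offset is the given value. */
enum check_result check_sample(uint16_t second_next_offset)
{
    uint32_t words[16];                 /* uint32_t storage keeps the blob aligned */
    unsigned char *buf = (unsigned char *)words;
    size_t n = build_sample_table(buf, sizeof words, second_next_offset);
    return validate_entry_chain(buf, n);
}

/* Mark the well-formed sample and confirm pcnt holds 8 and 24 for the
 * second and third entries. */
int sample_marks_correctly(void)
{
    uint32_t words[16];
    unsigned char *buf = (unsigned char *)words;
    size_t n = build_sample_table(buf, sizeof words, 16);
    struct model_entry e;
    if (mark_positions(buf, n) != CHECK_OK)
        return 0;
    memcpy(&e, buf + 8, sizeof e);
    if (e.pcnt != 8)
        return 0;
    memcpy(&e, buf + 24, sizeof e);
    return e.pcnt == 24;
}

int main(void)
{
    printf("well-formed table:     %d\n", check_sample(16));
    printf("oversized next_offset: %d\n", check_sample(0xfff0));
    printf("zero next_offset:      %d\n", check_sample(0));
    printf("marks correct:         %d\n", sample_marks_correctly());
    return 0;
}
```

The well-formed sample passes and is marked; a second entry carrying a next_offset of 0xfff0 (the kind of large value the report describes) is rejected as CHECK_ENTRY_PAST_END before any write occurs, as are a zero offset (which would stop the walk from advancing) and an unaligned one. The point of the structure is that the validation pass and the writing pass are separate: the table is either accepted whole or rejected whole, and the write loop never sees an offset that the check loop has not already bounded.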
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions